From 7562d97b6090a36395f0c95b54f5d5ecd6bfc01f Mon Sep 17 00:00:00 2001
From: Daniel Mack <daniel@zonque.org>
Date: Fri, 13 Mar 2015 15:48:41 +0100
Subject: [PATCH RFC] netfilter: x_tables: implement cgroup matching for skb->sk == NULL

For skbs which do not have a socket assigned (which is at least the case
for every first packet in a stream), the cgroup matching code currently
bails out early, which makes cgroup rules ineffective. Only subsequently
received packets of the stream (if any) are caught.

In order to use this type of matches for a per-application firewall, we
need to make sure to catch all packets, including the first one.

This patch adds code to look up listening TCP and UDP sockets in case
the skb does not have a socket assigned yet. If one is found, the
cgroup match is done against the class ID of the found socket. As this
makes the implementation specific to tcp/udp, the module now has to
implement match functions for both IPv4 and IPv6.

Signed-off-by: Daniel Mack <daniel@zonque.org>
---
 net/netfilter/xt_cgroup.c | 141 ++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 124 insertions(+), 17 deletions(-)

diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index 7198d66..766732f 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -16,7 +16,10 @@
 #include <linux/module.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_cgroup.h>
+#include <net/inet6_hashtables.h>
 #include <net/sock.h>
+#include <net/tcp.h>
+#include <net/udp.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Daniel Borkmann <dborkman@redhat.com>");
@@ -35,37 +38,141 @@ static int cgroup_mt_check(const struct xt_mtchk_param *par)
 }
 
 static bool
-cgroup_mt(const struct sk_buff *skb, struct xt_action_param *par)
+cgroup_mt_ipv4(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_cgroup_info *info = par->matchinfo;
+	struct sock *sk = skb->sk;
+	bool ret;
 
-	if (skb->sk == NULL)
-		return false;
+	if (!sk) {
+		const struct iphdr *iph = ip_hdr(skb);
+		struct udphdr hdr, *hp;
 
-	return (info->id == skb->sk->sk_classid) ^ info->invert;
+		hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(hdr), &hdr);
+		if (!hp)
+			return false;
+
+		switch (iph->protocol) {
+		case IPPROTO_UDP:
+			sk = udp4_lib_lookup(dev_net(skb->dev),
+					     iph->saddr, hp->source,
+					     iph->daddr, hp->dest,
+					     par->in->ifindex);
+			break;
+
+		case IPPROTO_TCP:
+			sk = __inet_lookup(dev_net(skb->dev), &tcp_hashinfo,
+					   iph->saddr, hp->source,
+					   iph->daddr, hp->dest,
+					   par->in->ifindex);
+			break;
+
+		default:
+			break;
+		}
+
+		if (!sk)
+			return false;
+	}
+
+	ret = (info->id == sk->sk_classid) ^ info->invert;
+
+	if (sk != skb->sk)
+		sock_gen_put(sk);
+
+	return ret;
+}
+
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+static bool
+cgroup_mt_ipv6(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	const struct xt_cgroup_info *info = par->matchinfo;
+	struct sock *sk = skb->sk;
+	bool ret;
+
+	if (!sk) {
+		const struct ipv6hdr *iph = ipv6_hdr(skb);
+		struct udphdr hdr, *hp;
+		int tproto, thoff = 0;
+
+		tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
+		if (tproto < 0)
+			return false;
+
+		hp = skb_header_pointer(skb, thoff, sizeof(hdr), &hdr);
+		if (!hp)
+			return false;
+
+		switch (tproto) {
+		case IPPROTO_UDP:
+			sk = udp6_lib_lookup(dev_net(skb->dev),
+					     &iph->saddr, hp->source,
+					     &iph->daddr, hp->dest,
+					     par->in->ifindex);
+			break;
+
+		case IPPROTO_TCP:
+			sk = inet6_lookup(dev_net(skb->dev), &tcp_hashinfo,
+					  &iph->saddr, hp->source,
+					  &iph->daddr, hp->dest,
+					  par->in->ifindex);
+			break;
+
+		default:
+			break;
+		}
+
+		if (!sk)
+			return false;
+	}
+
+	ret = (info->id == sk->sk_classid) ^ info->invert;
+
+	if (sk != skb->sk)
+		sock_gen_put(sk);
+
+	return ret;
 }
+#endif
 
-static struct xt_match cgroup_mt_reg __read_mostly = {
-	.name       = "cgroup",
-	.revision   = 0,
-	.family     = NFPROTO_UNSPEC,
-	.checkentry = cgroup_mt_check,
-	.match      = cgroup_mt,
-	.matchsize  = sizeof(struct xt_cgroup_info),
-	.me         = THIS_MODULE,
-	.hooks      = (1 << NF_INET_LOCAL_OUT) |
-		      (1 << NF_INET_POST_ROUTING) |
-		      (1 << NF_INET_LOCAL_IN),
+static struct xt_match cgroup_mt_reg[] __read_mostly = {
+	{
+		.name       = "cgroup",
+		.revision   = 0,
+		.family     = NFPROTO_IPV4,
+		.checkentry = cgroup_mt_check,
+		.match      = cgroup_mt_ipv4,
+		.matchsize  = sizeof(struct xt_cgroup_info),
+		.me         = THIS_MODULE,
+		.hooks      = (1 << NF_INET_LOCAL_OUT) |
+			      (1 << NF_INET_POST_ROUTING) |
+			      (1 << NF_INET_LOCAL_IN),
+	},
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+	{
+		.name       = "cgroup",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.checkentry = cgroup_mt_check,
+		.match      = cgroup_mt_ipv6,
+		.matchsize  = sizeof(struct xt_cgroup_info),
+		.me         = THIS_MODULE,
+		.hooks      = (1 << NF_INET_LOCAL_OUT) |
+			      (1 << NF_INET_POST_ROUTING) |
+			      (1 << NF_INET_LOCAL_IN),
+	},
+#endif
 };
 
 static int __init cgroup_mt_init(void)
 {
-	return xt_register_match(&cgroup_mt_reg);
+	return xt_register_matches(cgroup_mt_reg, ARRAY_SIZE(cgroup_mt_reg));
 }
 
 static void __exit cgroup_mt_exit(void)
 {
-	xt_unregister_match(&cgroup_mt_reg);
+	xt_unregister_matches(cgroup_mt_reg, ARRAY_SIZE(cgroup_mt_reg));
 }
 
 module_init(cgroup_mt_init);
-- 
2.3.2